Abstract

We present algorithms to synthesize component-based systems that are safe and deadlock-free using priorities, which define stateless-precedence between enabled actions. Our core method combines the concept of fault-localization (using safety-game) and fault-repair (using SAT for conflict resolution). For complex systems, we propose three complementary methods as preprocessing steps for priority synthesis, namely (a) data abstraction to reduce component complexities, (b) alphabet abstraction and $\sharp$-deadlock to ignore components, and (c) automated assumption learning for compositional priority synthesis.


I. Introduction

Priorities [?] define stateless-precedence relations between actions available in component-based systems. They can be used to restrict the behavior of a system in order to avoid undesired states. They are particularly useful to avoid deadlock states (i.e., states in which all actions are disabled), because they do not introduce new deadlock states and therefore avoid creating new undesired states. Furthermore, due to their stateless property and the fact that they operate on the interface of a component, they are relatively easy to implement in a distributed setting [?], [9]. In a tool paper [10], we presented the tool VissBIP¹ together with a concept called priority synthesis, which aims to automatically generate a set of priorities such that the system constrained by the synthesized priorities satisfies a given safety property or deadlock freedom. In this paper, we explain the underlying algorithm and propose extensions for more complex systems.

Priority synthesis is expensive; we showed in [11] that synthesizing priorities for safety properties (or deadlock-freedom) is NP-complete in the size of the state space of the product graph. Therefore, we present an incomplete search framework for priority synthesis, which mimics the process of fault-localization and fault-repair (Section III). Intuitively, a state is a fault location if it is the latest point from which there is a way to avoid a failure, i.e., there exists (i) an outgoing action that leads to an attracted state, a state from which all paths unavoidably reach a bad state, and (ii) an alternative action that avoids entering any of the attracted states. We compute fault locations using the algorithm for safety games. Given a set of fault locations, priority synthesis is achieved via fault-repair: an algorithm resolves potential conflicts in priorities generated via fault-localization and finds a satisfying subset of priorities as a solution for synthesis. Our symbolic encoding of the system, together with the new variable ordering heuristic and other optimizations, helps to solve problems much more efficiently compared to our preliminary implementation in [10]. Furthermore, it allows us to integrate an adversarial environment model similar to the setting in Ramadge and Wonham's controller synthesis framework [22].
Abstraction or compositional techniques are widely used in the verification of infinite-state or complex systems for safety properties, but not all techniques ensure that synthesizing an abstract system for deadlock-freeness guarantees deadlock-freeness in the concrete system (Section IV). Therefore, it is important to find appropriate techniques to assist synthesis on complex problems. We first revisit data abstraction (Section IV-A) for data domains, such that priority synthesis works on an abstract system composed of components abstracted component-wise [7]. Second, we present a technique called alphabet abstraction (Section IV-B), handling complexities induced by the composition of components. Lastly, for behavioral-safety properties (not applicable for deadlock-avoidance), we utilize automata learning [3] to achieve compositional priority synthesis (Section V).

We implemented the presented algorithms (except the connection with the data abstraction module in D-Finder [8]) in the VissBIP tool and performed experiments to evaluate them (Section VI). Our examples show that the process using fault-localization and fault-repair generates priorities that are highly desirable. Alphabet abstraction enables us to scale to arbitrarily large problems. We also present a model for distributed communication. In this example, the priorities synthesized by our engine are completely local (i.e., each priority involves two local actions within a component).

¹Shortcut for Visualization and synthesis for simple BIP systems.



Therefore, they can be translated directly to distributed control. We summarize related work and conclude with an algorithmic flow in Sections VII and VIII.



II. Component-based Modeling and Priority Synthesis 
A. Behavioral-Interaction-Priority Framework 

The Behavior-Interaction-Priority (BIP) framework² provides a rigorous component-based design flow for heterogeneous systems. Rigorous design refers to the strict separation of three different layers (behaviors, interactions, and priorities) used to describe a system. A detailed description of the BIP language can be found in [6]. To simplify the explanations, we focus on simple systems, i.e., systems without hierarchies and with finite data types. Intuitively, a simple BIP system consists of a set of automata (extended with data) that synchronize on joint labels.

Definition 1 (BIP System): We define a (simple BIP) system as a tuple $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$, where

• $\Sigma$ is a finite set of events or interaction labels, called the interaction alphabet,

• $\mathcal{C} = \bigcup_{i=1}^{m} C_i$ is a finite set of components. Each component $C_i$ is a transition system extended with data. Formally, $C_i$ is a tuple $(L_i, V_i, \Sigma_i, T_i, l_i^0, e_i^0)$:

- $L_i = \{l_{i1}, \ldots, l_{in}\}$ is a finite set of control locations.

- $V_i = \{v_{i1}, \ldots, v_{ik}\}$ is a finite set of (local) variables with a finite domain. Wlog we assume that the domain is the Boolean domain $\mathbb{B} = \{\mathrm{True}, \mathrm{False}\}$. We use $|V_i|$ to denote the number of variables used in $C_i$. An evaluation (or assignment) of the variables in $V_i$ is a function $e : V_i \to \mathbb{B}$ mapping every variable to a value in the domain. We use $\mathcal{E}(V_i)$ to denote the set of all evaluations over the variables $V_i$. Given a Boolean formula $f \in \mathbb{B}(V_i)$ over the variables in $V_i$ and an evaluation $e \in \mathcal{E}(V_i)$, we use $f(e)$ to refer to the truth value of $f$ under the evaluation $e$.

- $\Sigma_i \subseteq \Sigma$ is the subset of interaction labels used in $C_i$.

- $T_i$ is the set of transitions. A transition $t_i \in T_i$ is of the form $(l, g, \sigma, f, l')$, where $l, l' \in L_i$ are the source and destination location, $g \in \mathbb{B}(V_i)$ is called the guard and is a Boolean formula over the variables $V_i$, $\sigma \in \Sigma_i$ is an interaction label (specifying the event triggering the transition), and $f : V_i \to \mathbb{B}(V_i)$ is the update function mapping every variable to a Boolean formula encoding the change of its value.

- $l_i^0 \in L_i$ is the initial location and $e_i^0 \in \mathcal{E}(V_i)$ is the initial evaluation of the variables.

• $\mathcal{P}$ is a finite set of interaction pairs (called priorities) defining a relation $\prec \subseteq \Sigma \times \Sigma$ between the interaction labels. We require that $\prec$ is (1) transitive and (2) non-reflexive (i.e., there are no circular dependencies) [?]. For $(\sigma_1, \sigma_2) \in \mathcal{P}$, we sometimes write $\sigma_1 \prec \sigma_2$ to highlight the property of priority.

Definition 2 (Configuration): Given a system $\mathcal{S}$, a configuration (or state) $c$ is a tuple $(l_1, e_1, \ldots, l_m, e_m)$ with $l_i \in L_i$ and $e_i \in \mathcal{E}(V_i)$ for all $i \in \{1, \ldots, m\}$. We use $\mathcal{C}_{\mathcal{S}}$ to denote the set of all reachable configurations. The configuration $(l_1^0, e_1^0, \ldots, l_m^0, e_m^0)$ is called the initial configuration of $\mathcal{S}$ and is denoted by $c^0$.

Definition 3 (Enabled Interactions): Given a system $\mathcal{S}$ and a configuration $c = (l_1, e_1, \ldots, l_m, e_m)$, we say an interaction $\sigma \in \Sigma$ is enabled (in $c$) if the following conditions hold:

1) (Joint participation) $\forall i \in \{1, \ldots, m\}$, if $\sigma \in \Sigma_i$, then $\exists g_i, f_i, l_i'$ such that $(l_i, g_i, \sigma, f_i, l_i') \in T_i$ and $g_i(e_i) = \mathrm{True}$.

2) (No higher priorities enabled) For all other interactions $\bar{\sigma} \in \Sigma$ satisfying joint participation (i.e., $\forall i \in \{1, \ldots, m\}$, if $\bar{\sigma} \in \Sigma_i$, then $\exists (l_i, g_i, \bar{\sigma}, f_i, l_i') \in T_i$ such that $g_i(e_i) = \mathrm{True}$), $(\sigma, \bar{\sigma}) \notin \mathcal{P}$ holds.

Definition 4 (Behavior): Given a system $\mathcal{S}$, two configurations $c = (l_1, e_1, \ldots, l_m, e_m)$, $c' = (l_1', e_1', \ldots, l_m', e_m')$, and an interaction $\sigma \in \Sigma$ enabled in $c$, we say $c'$ is a $\sigma$-successor (configuration) of $c$, denoted $c \xrightarrow{\sigma} c'$, if the following two conditions hold for all components $C_i = (L_i, V_i, \Sigma_i, T_i, l_i^0, e_i^0)$:

• (Update for participating components) If $\sigma \in \Sigma_i$, then there exists a transition $(l_i, g_i, \sigma, f_i, l_i') \in T_i$ such that $g_i(e_i) = \mathrm{True}$ and for all variables $v \in V_i$, $e_i'(v) = f_i(v)(e_i)$.

• (Stutter for idle components) Otherwise, $l_i' = l_i$ and $e_i' = e_i$.

Given two configurations $c$ and $c'$, we say $c'$ is reachable from $c$ with the interaction sequence $w = \sigma_1 \ldots \sigma_k$, denoted $c \xrightarrow{w} c'$, if there exist configurations $c_0, \ldots, c_k$ such that (i) $c_0 = c$, (ii) $c_k = c'$, and (iii) for all $i : 0 \le i < k$, $c_i \xrightarrow{\sigma_{i+1}} c_{i+1}$. We denote the set of all configurations of $\mathcal{S}$ reachable from the initial configuration $c^0$ by $\mathcal{R}_{\mathcal{S}}$. The language of a system $\mathcal{S}$, denoted $\mathcal{L}(\mathcal{S})$, is the set $\{w \in \Sigma^* \mid \exists c' \in \mathcal{R}_{\mathcal{S}} \text{ such that } c^0 \xrightarrow{w} c'\}$. Note that $\mathcal{L}(\mathcal{S})$ describes the behavior of $\mathcal{S}$, starting from the initial configuration $c^0$.
In this paper, we adopt the following simplifications:

• We do not consider uncontrollable events (of the environment), since the BIP language currently does not support them. However, our framework would allow us to do so. More precisely, we solve priority synthesis using a game-theoretic version of controller synthesis [22], in which uncontrollability can be modeled. Furthermore, since we consider only safety properties, our algorithms can be easily adapted to handle uncontrollable events.

• We do not consider data transfer during the interaction, as it is merely syntactic rewriting over variables between 
different components. 

²http://www-verimag.imag.fr/Rigorous-Design-of-Component-Based.html?lang=en



B. Priority Synthesis for Safety and Deadlock Freedom 

Definition 5 (Risk-Configuration/Deadlock Safety): Given a system $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$ and the set of risk configurations $\mathcal{C}_{risk} \subseteq \mathcal{C}_{\mathcal{S}}$ (also called bad states), the system is safe if the following conditions hold. (A system that is not safe is called unsafe.)

• (Deadlock-free) $\forall c \in \mathcal{R}_{\mathcal{S}},\ \exists \sigma \in \Sigma,\ \exists c' \in \mathcal{R}_{\mathcal{S}} : c \xrightarrow{\sigma} c'$

• (Risk-state-free) $\mathcal{C}_{risk} \cap \mathcal{R}_{\mathcal{S}} = \emptyset$

Definition 6 (Priority Synthesis): Given a system $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$ and the set of risk configurations $\mathcal{C}_{risk} \subseteq \mathcal{C}_{\mathcal{S}}$, priority synthesis searches for a set of priorities $\mathcal{P}^+$ such that

• For $\mathcal{P} \cup \mathcal{P}^+$, the defined relation $\prec_{\mathcal{P} \cup \mathcal{P}^+} \subseteq \Sigma \times \Sigma$ is also (1) transitive and (2) non-reflexive.

• $(\mathcal{C}, \Sigma, \mathcal{P} \cup \mathcal{P}^+)$ is safe.

Given a system $\mathcal{S}$, we define the size of $\mathcal{S}$ as the size of the product graph induced by $\mathcal{S}$, i.e., $|\mathcal{R}_{\mathcal{S}}| + |\Sigma|$. Then, we have the following result.

Theorem 1 (Hardness of priority synthesis [11]): Given a system $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$, finding a set $\mathcal{P}^+$ of priorities such that $(\mathcal{C}, \Sigma, \mathcal{P} \cup \mathcal{P}^+)$ is safe is NP-complete in the size of $\mathcal{S}$.

We briefly mention the definition of behavioral safety, which is a powerful notion to capture erroneous behavioral patterns for the system under design.

Definition 7 (Behavioral Safety): Given a system $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$ and a regular language $\mathcal{L}_{\neg\varphi} \subseteq \Sigma^*$ called the risk specification, the system is B-safe if $\mathcal{L}(\mathcal{S}) \cap \mathcal{L}_{\neg\varphi} = \emptyset$. A system that is not B-safe is called B-unsafe.

It is well known that the problem of asking for behavioral safety can be reduced to the problem of risk-state freeness. More precisely, since $\mathcal{L}_{\neg\varphi}$ can be represented by a finite automaton $\mathcal{A}_{\neg\varphi}$ (the monitor), priority synthesis for behavioral safety can be reduced to priority synthesis in the synchronous product of the system $\mathcal{S}$ and $\mathcal{A}_{\neg\varphi}$, with the goal of avoiding any product state that has a final state of $\mathcal{A}_{\neg\varphi}$ in the second component.

III. A Framework of Priority Synthesis based on Fault-Localization and Fault-Repair 

In this section, we describe our symbolic encoding scheme, followed by presenting our priority synthesis mechanism 
using a fault-localization and repair approach. 

A. System Encoding 

Our symbolic encoding is inspired by the execution semantics of the BIP engine, which, during execution, selects one of the enabled interactions and executes it. In our engine, we mimic this process and create a two-stage transition. For each iteration:

• (Stage 0) The environment raises all enabled interactions.

• (Stage 1) Based on the raised interactions, the controller selects one enabled interaction (if there exists one) while respecting the priorities, and updates the state based on the selected interaction.

Given a system $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$, we use the following sets of Boolean variables to encode $\mathcal{S}$:

• $\{stg, stg'\}$ is the stage indicator and its primed version.

• $\bigcup_{\sigma \in \Sigma} \{\sigma, \sigma'\}$ are the variables representing interactions and their primed versions. We use the same letter for an interaction and the corresponding variable, because there is a one-to-one correspondence between them.

• $\bigcup_{i=1 \ldots m} Y_i \cup Y_i'$, where $Y_i = \{y_{i1}, \ldots, y_{ik}\}$ and $Y_i' = \{y_{i1}', \ldots, y_{ik}'\}$ are the variables and their primed version, respectively, used to encode the locations $L_i$. (We use a binary encoding, i.e., $k = \lceil \log_2 |L_i| \rceil$.) Given a location $l \in L_i$, we use $enc(l)$ and $enc'(l)$ to refer to the encoding of $l$ using $Y_i$ and $Y_i'$, respectively.

• $\bigcup_{i=1 \ldots m} \bigcup_{v \in V_i} \{v, v'\}$ are the variables of the components and their primed version.



Algorithm 1: Generate Stage-0 transitions

input : System $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$
output: Stage-0 transition predicate $T_{stage0}$
begin
    for $\sigma \in \Sigma$ do
        let predicate $P_\sigma := \mathrm{True}$                                            // Line 1
    for $\sigma \in \Sigma$ do
        for $i = \{1, \ldots, m\}$ do
            if $\sigma \in \Sigma_i$ then $P_\sigma := P_\sigma \wedge \bigvee_{(l, g, \sigma, f, l') \in T_i} (enc(l) \wedge g)$    // Line 2
    let predicate $T_{stage0} := stg \wedge \neg stg'$
    for $\sigma \in \Sigma$ do
        $T_{stage0} := T_{stage0} \wedge (\sigma' \leftrightarrow P_\sigma)$                           // Line 3
    for $i = \{1, \ldots, m\}$ do
        $T_{stage0} := T_{stage0} \wedge \bigwedge_{y \in Y_i} y \leftrightarrow y' \wedge \bigwedge_{v \in V_i} v \leftrightarrow v'$    // Line 4
    return $T_{stage0}$



Algorithm 2: Generate Stage-1 transitions

input : System $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$
output: Stage-1 transition predicate $T_{stage1}$
begin
    let predicate $T_{stage1} := \mathrm{False}$
    for $\sigma \in \Sigma$ do
        let predicate $T_\sigma := \neg stg \wedge stg'$
        for $i = \{1, \ldots, m\}$ do
            if $\sigma \in \Sigma_i$ then
                $T_\sigma := T_\sigma \wedge \bigvee_{(l, g, \sigma, f, l') \in T_i} (enc(l) \wedge g \wedge \sigma \wedge \sigma' \wedge enc'(l') \wedge \bigwedge_{v \in V_i} v' \leftrightarrow f(v))$    // Line 1
        for $\bar{\sigma} \in \Sigma, \bar{\sigma} \neq \sigma$ do
            $T_\sigma := T_\sigma \wedge \bar{\sigma}' = \mathrm{False}$                                    // Line 2
        for $i = \{1, \ldots, m\}$ do
            if $\sigma \notin \Sigma_i$ then $T_\sigma := T_\sigma \wedge \bigwedge_{y \in Y_i} y \leftrightarrow y' \wedge \bigwedge_{v \in V_i} v \leftrightarrow v'$    // Line 3
        $T_{stage1} := T_{stage1} \vee T_\sigma$
    for $\sigma_1 \prec \sigma_2 \in \mathcal{P}$ do
        $T_{stage1} := T_{stage1} \wedge ((\sigma_1 \wedge \sigma_2) \to \neg \sigma_1')$                       // Line 4
    return $T_{stage1}$



We use Algorithms 1 and 2 to create the transition predicates $T_{stage0}$ and $T_{stage1}$ for Stage 0 and Stage 1, respectively. Note that $T_{stage0}$ and $T_{stage1}$ can be merged, but we keep them separate in order to (1) have an easy and direct way to synthesize priorities, (2) allow expressing the freedom of the environment, and (3) follow the semantics of the BIP engine.

• In Algorithm 1, Line 2 computes for each interaction $\sigma$ the predicate $P_\sigma$ representing all the configurations in which $\sigma$ is enabled in the current configuration. In Line 3, starting from the first interaction, $T_{stage0}$ is continuously refined by conjoining $\sigma' \leftrightarrow P_\sigma$ for each interaction $\sigma$, i.e., the variable $\sigma'$ is true if and only if the interaction $\sigma$ is enabled. Finally, Line 4 ensures that the system configuration does not change in Stage 0.

• In Algorithm 2, Lines 1, 2, and 3 are used to create the transition in which interaction $\sigma$ is executed (Line 2 ensures that only $\sigma$ is executed; Line 3 ensures the stuttering move of non-participating components). Given a priority $\sigma_1 \prec \sigma_2$, in configurations in which $\sigma_1$ and $\sigma_2$ are both enabled (i.e., $\sigma_1 \wedge \sigma_2$ holds), the conjunction with Line 4 removes the possibility of executing $\sigma_1$ when $\sigma_2$ is also available.




Figure 1. Locating fix candidates. 



B. Step A. Finding Fix Candidates using Fault-localization 

Synthesizing a set of priorities to make the system safe can be done in various ways, and we use Figure 1 to illustrate our underlying idea. Consider a system starting from state $c_1$. It has two risk configurations $c_?$ and $c_?$ (state indices illegible in the scanned source). In order to avoid risk using priorities, one method is to work on the initial configuration, i.e., to use the set of priorities $\{e \prec a, d \prec a\}$. Nevertheless, it can be observed that the synthesized result is not very desirable, as the behavior of the system has been greatly restricted.

Alternatively, our methodology works backwards from the set of risk states and finds states which are able to escape from risk. In Figure 1, as states $c_3, c_4, c_5$ unavoidably enter a risk state, they are within the risk-attractor ($Attr(\mathcal{C}_{risk})$). For states $c_2$, $c_?$, and $c_?$, there exists an interaction which avoids risk. Thus, if a set of priorities $\mathcal{P}^+$ can ensure that from $c_2$, $c_?$, and $c_?$ the system cannot enter the attractor, then $\mathcal{P}^+$ is the result of synthesis. Furthermore, as $c_?$ is not within the set of reachable states from the initial configuration ($Reach(\{c_1\})$ in Figure 1), it can be eliminated without consideration. We call $\{c_2, c_?\}$ a fault-set, meaning that an erroneous interaction can be taken to reach the risk-attractor.

Under our formulation, we can directly utilize the result of algorithmic game solving [16] to compute the fault-set. Algorithm 3 explains the underlying computation. For conciseness, we use $\exists S$ ($\exists S'$) to represent existential quantification over all unprimed (primed) variables used in the system encoding. Also, we use the operator $\mathrm{SUBS}(X, S, S')$ for variable swap (substitution) from unprimed to primed variables in $X$; the SUBS operator is common in most BDD packages.

• In the beginning, we create $P_{ini}$ for the initial configuration, $P_{dead}$ for deadlock (no interaction is enabled), and $P_{risk}$ for the risk configurations.

• In Part A, adding a stage-0 configuration is computed similarly to adding an environment state in a safety game: for an environment configuration to be added, there must exist a transition which leads to the attractor.

• In Part A, adding a stage-1 configuration follows the intuition described earlier. In a safety game, for a control configuration $c$ to be added, all outgoing transitions of $c$ should lead to the attractor. This is captured by the set difference operation $PointTo \setminus Escape$ in Line 5.

• In Part B, Line 7 creates the transition predicate entering the attractor. Line 8 creates the predicate $OutsideAttr$ representing the set of stage-1 configurations outside the attractor. In Line 9, by conjoining with $OutsideAttr$, we ensure that the algorithm does not return a transition within the attractor.

• Part C removes transitions whose source is not within the set of reachable states.



Algorithm 3: Fault-localization

input : System $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$, $T_{stage0}$, $T_{stage1}$
output: $T_f \subseteq T_{stage1}$ as the set of stage-1 transitions starting from the fault-set but entering the risk attractor
begin
    let $P_{ini} := stg \wedge \bigwedge_{i=1 \ldots m} (enc(l_i^0) \wedge \bigwedge_{v \in V_i} v \leftrightarrow e_i^0(v))$
    let $P_{dead} := \neg stg \wedge \bigwedge_{\sigma \in \Sigma} \neg \sigma$
    let $P_{risk} := \neg stg \wedge \bigvee_{(l_1, e_1, \ldots, l_m, e_m) \in \mathcal{C}_{risk}} (enc(l_1) \wedge \bigwedge_{v \in V_1} v \leftrightarrow e_1(v) \wedge \ldots \wedge enc(l_m) \wedge \bigwedge_{v \in V_m} v \leftrightarrow e_m(v))$
    // Part A: solve safety game
    let $Attr_{pre} := P_{dead} \vee P_{risk}$, $Attr_{post} := \mathrm{False}$                                   // Line 1
    while True do
        // add stage-0 (environment) configurations
        $Attr_{post,0} := \exists S' : (T_{stage0} \wedge \mathrm{SUBS}((\exists S' : Attr_{pre}), S, S'))$            // Line 2
        // add stage-1 (system) configurations
        let $PointTo := \exists S' : (T_{stage1} \wedge \mathrm{SUBS}((\exists S' : Attr_{pre}), S, S'))$            // Line 3
        let $Escape := \exists S' : (T_{stage1} \wedge \mathrm{SUBS}((\exists S' : \neg Attr_{pre}), S, S'))$        // Line 4
        $Attr_{post,1} := PointTo \setminus Escape$                                                       // Line 5
        $Attr_{post} := Attr_{pre} \vee Attr_{post,0} \vee Attr_{post,1}$        // Union the result           // Line 6
        if $Attr_{pre} \leftrightarrow Attr_{post}$ then break                   // Break when the image saturates
        else $Attr_{pre} := Attr_{post}$
    // Part B: extract $T_f$
    $PointTo := T_{stage1} \wedge \mathrm{SUBS}((\exists S' : Attr_{pre}), S, S')$                                 // Line 7
    $OutsideAttr := \neg Attr_{pre} \wedge (\exists S' : T_{stage1})$                                          // Line 8
    $T_f := PointTo \wedge OutsideAttr$                                                                   // Line 9
    // Part C: eliminate unused transitions using reachable states
    let $reach_{pre} := P_{ini}$, $reach_{post} := \mathrm{False}$
    while True do
        $reach_{post} := reach_{pre} \vee \mathrm{SUBS}(\exists S : (reach_{pre} \wedge (T_{stage0} \vee T_{stage1})), S', S)$
        if $reach_{pre} \leftrightarrow reach_{post}$ then break              // Break when the image saturates
        else $reach_{pre} := reach_{post}$
    return $T_f \wedge reach_{post}$
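An explicit-state version of the three parts of Algorithm 3, added here as an illustration: it is not the paper's BDD-based implementation, the graph, risk state and interaction names are constructed rather than taken from Figure 1, and priorities are not modelled, so every outgoing interaction of a configuration counts as raised.

```python
# Explicit-state fault localization (Parts A-C of Algorithm 3). The two game
# stages collapse here: a configuration joins the attractor when all of its
# raised interactions lead into it (PointTo \ Escape).

# Constructed example graph (not Figure 1): configuration -> {interaction: successor}
GRAPH = {
    "c1": {"a": "c2", "d": "c6"},
    "c2": {"a": "c3", "g": "c4", "b": "c1", "c": "c6"},
    "c3": {"a": "c5"},
    "c4": {"b": "c8"},
    "c5": {"a": "c7"},
    "c6": {"b": "c5", "a": "c1"},
    "c7": {},                      # risk configuration (P_risk)
    "c8": {},                      # deadlock: no interaction enabled (P_dead)
    "c9": {"b": "c4", "a": "c1"},  # not reachable from the initial configuration
}
RISK = {"c7"}
INITIAL = "c1"


def risk_attractor(graph, risk):
    """Part A: start from P_dead ∨ P_risk and add every configuration all of
    whose moves lead into the current attractor, until the image saturates."""
    attr = set(risk) | {c for c, moves in graph.items() if not moves}
    while True:
        new = {c for c, moves in graph.items()
               if c not in attr and moves
               and all(succ in attr for succ in moves.values())}
        if not new:
            return attr
        attr |= new


def reachable(graph, initial):
    """Part C: forward fixpoint from the initial configuration."""
    seen, todo = set(), [initial]
    while todo:
        c = todo.pop()
        if c not in seen:
            seen.add(c)
            todo.extend(graph[c].values())
    return seen


def fault_localization(graph, risk, initial):
    """Part B filtered by Part C: moves from a reachable configuration outside
    the attractor into it, with the other interactions available there
    (this is what the returned T_f records)."""
    attr = risk_attractor(graph, risk)
    reach = reachable(graph, initial)
    t_f = []
    for c in sorted(reach - attr):
        for sigma, succ in graph[c].items():
            if succ in attr:
                others = sorted(s for s in graph[c] if s != sigma)
                t_f.append((c, sigma, others))
    return t_f


def priority_candidates(t_f):
    """Each risk edge (c, sigma, others) yields the candidates sigma ≺ other."""
    return {(sigma, other) for _, sigma, others in t_f for other in others}


if __name__ == "__main__":
    edges = fault_localization(GRAPH, RISK, INITIAL)
    print("risk attractor:", sorted(risk_attractor(GRAPH, RISK)))
    print("fault-set:", sorted({c for c, _, _ in edges}))
    for c, sigma, others in edges:
        print(f"on {c}, {sigma} enters the attractor while {others} are also available")
```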



C. Step B. Priority Synthesis via Conflict Resolution - from Stateful to Stateless 

Due to our system encoding, in Algorithm 3 the return value $T_f$ contains not only the risk interaction but also all possible interactions simultaneously available. Recall Figure 1: $T_f$ returns three transitions, and we can extract priority candidates from each transition.

• On $c_2$, $a$ enters the risk-attractor, while $b, g, c$ are also available. We have the following candidates $\{a \prec b, a \prec g, a \prec c\}$.

• On $c_2$, $g$ enters the risk-attractor, while $a, b, c$ are also available. We have the following candidates $\{g \prec b, g \prec c, g \prec a\}$.³

• On $c_?$, $b$ enters the risk-attractor, while $a$ is also available. We have the following candidate $b \prec a$.

From these candidates, we can perform conflict resolution and generate a set of priorities that ensures avoiding the attractor. For example, $\{a \prec c, g \prec a, b \prec a\}$ is a set of satisfying priorities to ensure safety. Note that the set $\{a \prec b, g \prec b, b \prec a\}$ is not a legal priority set, because it creates circular dependencies. In our implementation, conflict resolution is performed using SAT solvers: in the SAT problem, any priority $\sigma_1 \prec \sigma_2$ is represented as a Boolean variable $\sigma_1 \prec \sigma_2$, which can be set to True or False. If the generated SAT problem is satisfiable, for every variable $\sigma_1 \prec \sigma_2$ evaluated to True we add the priority $\sigma_1 \prec \sigma_2$ to $\mathcal{P}^+$. The synthesis engine creates four types of clauses.

1) [Priority candidates] For each edge $t \in T_f$ which enters the risk attractor using $\sigma$ and having $\sigma_1, \ldots, \sigma_e$ available actions (excluding $\sigma$), create the clause $(\bigvee_{i=1 \ldots e} \sigma \prec \sigma_i)$.⁴

2) [Existing priorities] For each priority $\sigma \prec \sigma' \in \mathcal{P}$, create the clause $(\sigma \prec \sigma')$.

3) [Non-reflective] For each interaction $\sigma$ used in (1) and (2), create the clause $(\neg\, \sigma \prec \sigma)$.

4) [Transitive] For any three interactions $\sigma_1, \sigma_2, \sigma_3$ used in (1) and (2), create the clause $((\sigma_1 \prec \sigma_2 \wedge \sigma_2 \prec \sigma_3) \Rightarrow \sigma_1 \prec \sigma_3)$.

³Notice that at least one candidate is a true candidate for risk-escape. Otherwise, during the attractor computation, $c_2$ would be included within the attractor.

⁴In the implementation, Algorithm 3 works symbolically on BDDs and proceeds on cubes of the risk-edges (a cube contains a set of states having the same enabled interactions and the same risk interaction), hence it avoids enumerating edges state-by-state.

Figure 2. A simple scenario where conflicts are unavoidable on the fault-set.
When the problem is satisfiable, we only output the set of priorities within the priority candidates (as the non-reflective and transitive clauses are inferred properties). Admittedly, here we still solve an NP-complete problem. Nevertheless,

• The number of interactions involved in the fault-set can be much smaller than $|\Sigma|$.

• As the translation does not involve complicated encoding, we observe from our experiments that solving the SAT problem does not occupy a large portion (less than 20% for all benchmarks) of the total execution time.
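The four clause types and the resolution step, as an added example in Python (not the VissBIP engine's code): it encodes the candidate sets the text lists for the Figure 1 edges, assumes the existing priority set $\mathcal{P}$ of that system is empty, resolves the clauses with a small DPLL procedure standing in for an off-the-shelf SAT solver, checks the two priority sets discussed above, and reports the two-state conflict of Figure 2 as unsatisfiable.

```python
import itertools

# A SAT variable is an ordered pair (s1, s2) standing for the priority s1 ≺ s2;
# a literal is (pair, polarity). Clauses are lists of literals.

# Risk edges of T_f from the text: (risk interaction, other available interactions)
CANDIDATES = [("a", ["b", "g", "c"]),   # on c2, a enters the attractor
              ("g", ["b", "c", "a"]),   # on c2, g enters the attractor
              ("b", ["a"])]             # on the second fault-set state, b enters
EXISTING = []   # P of the Figure 1 system is not given in the text; assumed empty


def build_clauses(candidates, existing):
    used = set()
    for sigma, others in candidates:
        used.update([sigma, *others])
    for s1, s2 in existing:
        used.update([s1, s2])
    used = sorted(used)
    clauses = []
    for sigma, others in candidates:                 # (1) priority candidates
        clauses.append([((sigma, o), True) for o in others])
    for s1, s2 in existing:                          # (2) existing priorities
        clauses.append([((s1, s2), True)])
    for s in used:                                   # (3) non-reflective
        clauses.append([((s, s), False)])
    for s1, s2, s3 in itertools.product(used, repeat=3):   # (4) transitive
        # repeats included: s1 ≺ s2 ≺ s1 would force the forbidden s1 ≺ s1
        clauses.append([((s1, s2), False), ((s2, s3), False), ((s1, s3), True)])
    return clauses


def dpll(clauses, assignment=None):
    """Minimal DPLL: returns a (possibly partial) satisfying assignment or None."""
    assignment = dict(assignment or {})
    open_clauses = []
    for clause in clauses:
        remaining, satisfied = [], False
        for var, pol in clause:
            if var in assignment:
                if assignment[var] == pol:
                    satisfied = True
                    break
            else:
                remaining.append((var, pol))
        if satisfied:
            continue
        if not remaining:
            return None                      # a clause is falsified: conflict
        open_clauses.append(remaining)
    if not open_clauses:
        return assignment
    var, pol = min(open_clauses, key=len)[0]   # shortest clause first (units propagate)
    for value in (pol, not pol):
        result = dpll(open_clauses, {**assignment, var: value})
        if result is not None:
            return result
    return None


def synthesize(candidates, existing):
    """P+ restricted to candidate pairs, as the engine outputs it; None if unsatisfiable."""
    model = dpll(build_clauses(candidates, existing))
    if model is None:
        return None
    candidate_pairs = {(s, o) for s, others in candidates for o in others}
    return {pair for pair, val in model.items() if val and pair in candidate_pairs}


def is_legal(priorities, candidates, existing):
    """A priority set is legal if it covers every risk edge, keeps P, and its
    transitive closure is irreflexive (no circular dependencies)."""
    rel = set(priorities) | set(existing)
    if not all(any((s, o) in rel for o in others) for s, others in candidates):
        return False
    closure = set(rel)
    while True:
        extra = {(x, w) for x, y in closure for z, w in closure if y == z} - closure
        if not extra:
            break
        closure |= extra
    return all(x != y for x, y in closure)


if __name__ == "__main__":
    print("P+ =", sorted(synthesize(CANDIDATES, EXISTING)))
    print("{a≺c, g≺a, b≺a} legal:", is_legal({("a", "c"), ("g", "a"), ("b", "a")}, CANDIDATES, EXISTING))
    print("{a≺b, g≺b, b≺a} legal:", is_legal({("a", "b"), ("g", "b"), ("b", "a")}, CANDIDATES, EXISTING))
    # Figure 2: candidates a≺b on c1 and b≺a on c2 cannot both hold
    print("Figure 2 conflict resolvable:", synthesize([("a", ["b"]), ("b", ["a"])], []) is not None)
```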

D. Optimization 

Currently, we use the following optimization techniques compared to the preliminary implementation of [10].



1) Handling unsatisfiability: In the resolution scheme of Section III-C, when the generated SAT problem is unsatisfiable, we can redo the process by moving some states in the fault-set to the attractor. This procedure is implemented by selecting a subset of priority candidates and annotating them to the original system. We call this process priority-repushing. E.g., consider the system $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$ in Figure 2. The fault-set $\{c_1, c_2\}$ is unable to resolve the conflict: for $c_1$ the priority candidate is $a \prec b$, and for $c_2$ the priority candidate is $b \prec a$. When we redo the analysis with $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P} \cup \{a \prec b\})$, this time $c_2$ will be in the attractor, as now $c_2$ must respect the priority and is unable to escape using $a$. Currently, our implementation supports repushing up to a fixed depth to increase the possibility of finding a fix.

2) Initial Variable Ordering: Modified FORCE Heuristics: As we use BDDs to compute the risk-attractor, a good initial variable ordering can greatly influence the total time required to solve the game. Although finding an optimal initial variable ordering is known to be NP-complete [23], many heuristics can be applied to find a good yet non-optimal ordering.⁵ The basic idea of these heuristics is to group variables closely if they participate in the same transition [13]; experience has shown that this creates a BDD of smaller size. Thus our goal is to find a heuristic algorithm which can be computed efficiently while creating a good ordering.

We adapt the concept of the FORCE heuristic [2]. Although the purpose of the FORCE heuristic is to work on SAT problems, we find the concept very beneficial in our problem setting. We explain the concept of FORCE based on the example in [2], and refer interested readers to that paper for full details.

Given a CNF formula $C = c_1 \wedge c_2 \wedge c_3$, where $c_1 = (a \vee c)$, $c_2 = (a \vee d)$, $c_3 = (b \vee d)$:

• Consider a variable ordering $(a, b, c, d)$. We evaluate this ordering by considering the sum of the spans. A span is the maximum distance between any two variables within the same clause. For $c_1$, under this ordering the span equals 2; for $c_2$ the span equals 3, and the sum of the spans equals 7.

• Consider another variable ordering $(c, a, d, b)$. Then the sum of the spans equals 3. Thus we consider $(c, a, d, b)$ superior to $(a, b, c, d)$.

• The purpose of the FORCE heuristic is to reduce the sum of such spans. In the CNF example, the name of the heuristic suggests that a conceptual force representing each clause is pulling together the variables used within the clause.

Back to priority synthesis, consider the set of components $\bigcup_{i=1}^{m} C_i$ together with the interaction labels $\Sigma$. We may similarly compute the sum of all spans, where now a span is the maximum distance between any two components participating in the same interaction $\sigma \in \Sigma$. Precisely, we replace the clauses and variables of the original FORCE heuristic with interaction symbols and components. Therefore, we regard the FORCE heuristic as equally applicable to create a better initial variable ordering for priority synthesis.

[Algorithm Sketch] Our modified FORCE heuristic is as follows.

1) Create an initial order of vertices composed from the set of components $\bigcup_{i=1}^{m} C_i$ and the interactions $\sigma \in \Sigma$. Here we allow the user to provide an initial variable ordering, such that the FORCE heuristic can be applied more efficiently.

⁵Also, dynamic variable ordering, a technique which changes the variable ordering at run-time, can be beneficial when no good variable ordering is known [13].



2) Repeat for a limited time or until the span stops decreasing:

• Create an empty list.

• For each interaction label $\sigma \in \Sigma$, derive its center of gravity $COG(\sigma)$ by computing the average position of all participating components. Use the average position as its value. Add the interaction with its value to the list.

• For each component $C_i$, compute its value as $\frac{\sum_{\sigma \in \Sigma_i} COG(\sigma)}{|\Sigma_i|}$, the average center of gravity of the interactions $C_i$ participates in. Add the component with its value to the list.

• Sort the list based on the values. The resulting list is considered as the new variable ordering. Compute the new span and compare it with the span of the previous ordering.
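The span evaluation and the modified FORCE iteration, as an added example (not the paper's implementation). It is written over a generic table of groups and members so that the same code handles the CNF example above (clauses over variables) and a BIP system (interactions over participating components); the BIP participation table with interactions s1, s2, s3 over components C1 to C4 is constructed, and group and member names are assumed to be distinct.

```python
# CNF example from the text: c1 = (a ∨ c), c2 = (a ∨ d), c3 = (b ∨ d)
CNF = {"c1": ["a", "c"], "c2": ["a", "d"], "c3": ["b", "d"]}

# Constructed BIP example: interaction -> participating components
BIP = {"s1": ["C1", "C2"], "s2": ["C2", "C3"], "s3": ["C3", "C4"]}


def members_of(groups):
    return {m for ms in groups.values() for m in ms}


def projection(order, groups):
    """The member-only part of an ordering (variables, resp. components)."""
    members = members_of(groups)
    return [x for x in order if x in members]


def span_sum(order, groups):
    """Sum over groups of the maximum distance between two members. Positions
    are taken in the member-only projection, so interaction vertices that the
    modified heuristic interleaves into the ordering do not inflate the span."""
    pos = {x: i for i, x in enumerate(projection(order, groups))}
    return sum(max(pos[m] for m in ms) - min(pos[m] for m in ms)
               for ms in groups.values())


def force_round(order, groups):
    """One round of the sketch: every group gets its center of gravity COG(g),
    every member the mean COG of the groups it belongs to; then sort by value
    (ties keep their previous relative order)."""
    pos = {x: i for i, x in enumerate(order)}
    value = {g: sum(pos[m] for m in ms) / len(ms) for g, ms in groups.items()}
    for m in members_of(groups):
        cogs = [value[g] for g, ms in groups.items() if m in ms]
        value[m] = sum(cogs) / len(cogs)
    # a vertex in no group keeps its position as its value
    return sorted(order, key=lambda x: (value.get(x, pos[x]), pos[x]))


def force_order(order, groups, max_rounds=20):
    """Repeat rounds until the span stops decreasing or the round budget ends."""
    best, best_span = list(order), span_sum(order, groups)
    for _ in range(max_rounds):
        candidate = force_round(best, groups)
        candidate_span = span_sum(candidate, groups)
        if candidate_span >= best_span:
            break
        best, best_span = candidate, candidate_span
    return best, best_span


if __name__ == "__main__":
    print("span (a,b,c,d):", span_sum(["a", "b", "c", "d"], CNF))
    print("span (c,a,d,b):", span_sum(["c", "a", "d", "b"], CNF))
    order, span = force_order(["a", "b", "c", "d", "c1", "c2", "c3"], CNF)
    print("FORCE on CNF:", order, "projected:", projection(order, CNF), "span:", span)
    order, span = force_order(["C1", "C3", "C2", "C4", "s1", "s2", "s3"], BIP)
    print("FORCE on BIP:", order, "projected:", projection(order, BIP), "span:", span)
```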

3) Dense variable encoding: The encoding in Section III-A is dense compared to the encoding in [10]. In [10], for each component $C_i$ participating in interaction $\sigma$, one separate variable $\sigma_i$ is used. Then a joint action is done by an AND operation over all these variables, i.e., $\bigwedge_i \sigma_i$. This eases the construction process but makes BDD-based game solving very inefficient: for a system $\mathcal{S}$, let $\Sigma_{nsel} \subseteq \Sigma$ be the set of interactions in which only one component participates. Then the encoding in [10] uses at least $2|\Sigma \setminus \Sigma_{nsel}|$ more BDD variables than the dense encoding.

4) Safety Engine Speedup: Lastly, as the created game graph is bipartite, Algorithm 3 can be refined to work on two separate images of stage-0 and stage-1, such that Line 2 and Lines {3, 4} are executed in alternation.

IV. Handling Complexities

In verification, it is standard to use abstraction and modularity to reduce the complexity of the analyzed systems. Abstraction is also useful in synthesis. However, note that if an abstract system is deadlock-free, this does not imply that the concrete system is as well. E.g., in Figure 3 the system composed of $C_1$ and $C_2$ contains a deadlock (if both interactions $a$ and $b$ are required to be paired for execution). However, when we over-approximate $C_1$ to an abstract system $C_1^{a}$, the system composed of $C_1^{a}$ and $C_2$ is deadlock-free. On the other hand, deadlock-freeness of an under-approximation also does not imply deadlock-freeness of the concrete system. An obvious example can be obtained by under-approximating the system $C_1$ in Figure 3 to an abstract system $C_1^{a}$. Again, the composition of $C_1^{a}$ and $C_2$ is deadlock-free, while the concrete system is not. Therefore, it is challenging to find a suitable abstract system such that deadlock-freeness of the abstract system implies deadlock-freeness of the concrete system.

Figure 3. A scenario where the concrete system contains a deadlock, but the abstract system is deadlock-free.

In the following, we propose three techniques. 

A. Data abstraction 

Data abstraction techniques presented in previous work [7] and implemented in the D-Finder tool kit [8] are deadlock preserving, i.e., synthesizing the abstract system to be deadlock-free ensures that the concrete system is also deadlock-free. Basically, the method works on an abstract system composed of components abstracted component-wise from the concrete components. For example, if an abstraction preserves all control variables (i.e., all control variables are mapped by identity) and the mapping between the concrete and abstract system is precise with respect to all guards and updates (for control variables) on all transitions, then it is deadlock preserving. For further details, we refer interested readers to [7], [8].

B. Alphabet abstraction 

Second, we present alphabet abstraction, targeting the synthesis of priorities to avoid deadlock (but also applicable to risk-freeness with extensions). The underlying intuition is to abstract away concrete behavior of components that is not of concern.

Definition 8 (Alphabet Transformer): Given an interaction alphabet $\Sigma$, let $\Sigma_\sharp \subseteq \Sigma$ be the abstract alphabet. Define $\alpha : \Sigma \to (\Sigma \setminus \Sigma_\sharp) \cup \{\sharp\}$ as the alphabet transformer, such that for $\sigma \in \Sigma$,

• If $\sigma \in \Sigma_\sharp$, then $\alpha(\sigma) := \sharp$.

• Otherwise, $\alpha(\sigma) := \sigma$.

Definition 9 (Alphabet Abstraction: Syntax): Given a system $\mathcal{S} = (\mathcal{C}, \Sigma, \mathcal{P})$ and an abstract alphabet $\Sigma_\sharp \subseteq \Sigma$, define the $\sharp$-abstract system $\mathcal{S}_\sharp$ to be $(\mathcal{C}_\sharp, (\Sigma \setminus \Sigma_\sharp) \cup \{\sharp\}, \mathcal{P}_\sharp)$, where

• $\mathcal{C}_\sharp = \bigcup_{i=1}^{m} C_{i\sharp}$, where $C_{i\sharp} = (L_i, V_i, \Sigma_{i\sharp}, T_{i\sharp}, l_i^0, e_i^0)$ is obtained from $C_i$ by syntactically replacing every occurrence of $\sigma \in \Sigma_\sharp$ with $\alpha(\sigma)$.

• $\mathcal{P} = \bigcup_{j=1}^{k} \{\sigma_j \prec \sigma_j'\}$ changes to $\mathcal{P}_\sharp = \bigcup_{j=1}^{k} \{\alpha(\sigma_j) \prec \alpha(\sigma_j')\}$, and the relation defined by $\mathcal{P}_\sharp$ should be transitive and non-reflexive.

Figure 4. A system $\mathcal{S}$ and its $\sharp$-abstract system $\mathcal{S}_\sharp$, where $\Sigma_\sharp = \Sigma \setminus \{a, b, c\}$.



The definition of a configuration (state) of a $\sharp$-abstract system follows Definition 2. Denote the set of all configurations of $\mathcal{S}_\sharp$ reachable from $c^0$ as $\mathcal{C}_{\mathcal{S}_\sharp}$. The update of a configuration for an interaction $\sigma \in \Sigma \setminus \Sigma_\sharp$ follows Definition 3. The only difference is within the semantics of the $\sharp$-interaction.

Definition 10 (Alphabet Abstraction: Semantics for the $\sharp$-interaction): Given a configuration $c = (l_1, v_1, \ldots, l_m, v_m)$, the $\sharp$-interaction is enabled if the following conditions hold.

1) ($\geq 1$ participants) There exists $i \in \{1, \ldots, m\}$ with $\sharp \in \Sigma_{i\sharp}$ and $\exists t_i = (l_i, g_i, \sharp, f_i, \bar{l}_i) \in T_{i\sharp}$ such that $g_i(v_i) = \mathrm{True}$.

2) (No higher priorities enabled) There exists no other interaction $\sigma_h \in \Sigma$ with $(\sharp, \sigma_h) \in \mathcal{P}_\sharp$ such that $\forall i \in \{1, \ldots, m\}$ with $\sigma_h \in \Sigma_{i\sharp}$, $\exists t_{i_h} = (l_i, g_{i_h}, \sigma_h, f_{i_h}, \bar{l}_{i_h}) \in T_{i\sharp}$ with $g_{i_h}(v_i) = \mathrm{True}$.

Then for a configuration $c = (l_1, v_1, \ldots, l_m, v_m)$, the configuration after taking an enabled $\sharp$-interaction changes to $c' = (l_1', v_1', \ldots, l_m', v_m')$:

• (May-update for participating components) If $\sharp \in \Sigma_{i\sharp}$, then for a transition $t_i = (l_i, g_i, \sharp, f_i, \bar{l}_i) \in T_{i\sharp}$ such that $g_i(v_i) = \mathrm{True}$, either

1) $l_i' = \bar{l}_i$, $v_i' = f_i(v_i)$, or

2) $l_i' = l_i$, $v_i' = v_i$.

Furthermore, at least one component updates (i.e., selects option 1).

• (Stutter for non-participating components) If $\sharp \notin \Sigma_{i\sharp}$, then $l_i' = l_i$, $v_i' = v_i$.

Lastly, the behavior of a jj-abstract system follows Definition 4. In summary, the above definitions indicate that in a 
tt-abstract system, any local transitions having alphabet symbols within E$ can be executed in isolation or jointly. Thus, 
we have the following result. 

Lemma 1: Given a system $S$ and its $\sharp$-abstract system $S_\sharp$, let $\mathcal{R}_S$ ($\mathcal{R}_{S_\sharp}$) be the reachable states of system $S$ (of the corresponding $\sharp$-abstract system) from the initial configuration $c^0$. Then $\mathcal{R}_S \subseteq \mathcal{R}_{S_\sharp}$.
Proof: Follows from the comparison between Definition 3 and Definition 10. ■



As alphabet abstraction loosens the execution condition by overlooking paired interactions, a $\sharp$-abstract system being deadlock-free does not imply that the concrete system is deadlock-free. E.g., consider a system $S'$ composed only of $C_2$ and $C_3$ in Figure 4. When $\Sigma_\sharp = \Sigma \setminus \{b\}$, its $\sharp$-abstract system $S'_\sharp$ is shown below. In $S'$, when $C_2$ is at location $l_{21}$ and $C_3$ is at location $l_{31}$, the interactions $e$ and $f$ are disabled, meaning that a deadlock is reachable from the initial configuration. Nevertheless, in $S'_\sharp$, as the $\sharp$-interaction is always enabled, it is deadlock-free.

In the following, we strengthen the deadlock condition by the notion of $\sharp$-deadlock. Intuitively, a configuration is $\sharp$-deadlocked if it is deadlocked, or the only interaction available is the $\sharp$-interaction.

Definition 11 ($\sharp$-deadlock): Given a $\sharp$-abstract system $S_\sharp$, a configuration $c \in \mathcal{C}_{S_\sharp}$ is $\sharp$-deadlocked if $\nexists\, \sigma \in \Sigma \setminus \Sigma_\sharp,\; c' \in \mathcal{C}_{S_\sharp}$ such that $c \xrightarrow{\sigma} c'$.

In other words, a configuration $c$ of $S_\sharp$ being $\sharp$-deadlocked implies that all interactions labeled with $\Sigma \setminus \Sigma_\sharp$ are disabled at $c$.

Lemma 2: Given a system $S$ and its $\sharp$-abstract system $S_\sharp$, define $\mathcal{D}$ as the set of deadlock states reachable from the initial state in $S$, and $\mathcal{D}^\sharp$ as the set of $\sharp$-deadlock states reachable from the initial state in $S_\sharp$. Then $\mathcal{D} \subseteq \mathcal{D}^\sharp$.
Proof: Consider a deadlock state $c \in \mathcal{D}$.

1) Based on Lemma 1, $c$ is also in $\mathcal{R}_{S_\sharp}$.

2) In $S$, as $c \in \mathcal{D}$, all interactions are disabled in $c$. Then correspondingly in $S_\sharp$, for state $c$, any interaction $\sigma \in \Sigma \setminus \Sigma_\sharp$ is also disabled. Therefore, $c$ is $\sharp$-deadlocked.

Based on 1 and 2, $c \in \mathcal{D}^\sharp$. Thus $\mathcal{D} \subseteq \mathcal{D}^\sharp$. ■

Theorem 2: Given a system $S$ and its $\sharp$-abstract system $S_\sharp$, if $S_\sharp$ is $\sharp$-deadlock-free, then $S$ is deadlock-free.
Proof: As $S_\sharp$ is $\sharp$-deadlock-free, we have $\mathcal{R}_{S_\sharp} \cap \mathcal{D}^\sharp = \emptyset$. According to Lemma 1 and Lemma 2, we have $\mathcal{R}_S \subseteq \mathcal{R}_{S_\sharp}$ and $\mathcal{D} \subseteq \mathcal{D}^\sharp$. Hence $\mathcal{R}_S \cap \mathcal{D} = \emptyset$, implying that $S$ is deadlock-free. ■



(Algorithmic issues) Based on the above results, the use of alphabet abstraction and the notion of $\sharp$-deadlock offers a methodology for priority synthesis working on the abstraction. Detailed steps are presented as follows.

1) Given a system $S$, create its $\sharp$-abstract system $S_\sharp$ by a user-defined $\Sigma_\sharp \subseteq \Sigma$. In our implementation, we let users select a subset of components $C_{s_1}, \ldots, C_{s_k} \in C$, and generate $\Sigma_\sharp = \Sigma \setminus (\Sigma_{s_1} \cup \ldots \cup \Sigma_{s_k})$.

• E.g., consider the system $S$ in Figure 4 and its $\sharp$-abstract system $S_\sharp$. The abstraction is done by looking at $C_1$ and maintaining $\Sigma_1 = \{a, b, c\}$.

• When a system contains no variables, the algorithm proceeds by eliminating components whose interactions are completely in the abstract alphabet. In Figure 4, as $\Sigma_{i\sharp} = \{\sharp\}$ for $i \in \{3, \ldots, m\}$, it is sufficient to eliminate all of them during the system encoding process.

2) If $S_\sharp$ contains $\sharp$-deadlock states, we could obtain a $\sharp$-deadlock-free system by synthesizing a set of priorities $\mathcal{P}_+$, where the defined relation $\prec_+ \subseteq ((\Sigma \setminus \Sigma_\sharp) \cup \{\sharp\}) \times (\Sigma \setminus \Sigma_\sharp)$, using the techniques presented in Section III.

• In the system encoding, the predicate $P_{\sharp\mathrm{dead}}$ for $\sharp$-deadlock is defined as $\mathit{st}_g = \mathit{False} \wedge \bigwedge_{\sigma \in \Sigma \setminus \Sigma_\sharp} \sigma = \mathit{False}$.

• If a synthesized priority has the form $\sharp \prec \sigma$, then translate it into the set of priorities $\bigcup_{\sigma' \in \Sigma_\sharp} \sigma' \prec \sigma$.
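As an added illustration (our code, not part of the paper or of the VissBIP tool), the following Python program implements Definitions 8 to 11 and the two synthesis steps above for variable-free components. It builds the $\sharp$-abstraction of a constructed three-component system, explores reachable configurations under the may-update semantics of the $\sharp$-interaction, checks the inclusions of Lemmas 1 and 2, and shows that the single $\sharp$-deadlock of $S_\sharp$ disappears under a candidate priority $a \prec b$, so that by Theorem 2 the concrete system is deadlock-free. It also reproduces the caveat that plain deadlock-freedom of $S_\sharp$ says nothing about $S$. The components, alphabets, priorities and the helper names (`abstract`, `enabled`, `deadlocks`, `concretize`) are all constructed here.

```python
# Added example (not from the paper): finite components without variables,
# stateless priorities, the #-abstraction of Definitions 8-10 and the
# #-deadlock check of Definition 11 / Theorem 2. The components, alphabets
# and priorities below are constructed for illustration only.
from itertools import product

SHARP = '#'   # plays the role of the paper's sharp symbol

# A component is {location: {label: set_of_target_locations}}; a priority pair
# (lo, hi) means lo < hi, i.e. hi has precedence over lo.
def alphabet(comp):
    return {lab for edges in comp.values() for lab in edges}

def abstract(comps, sharp_alph):
    """Definition 9: rename every label of sharp_alph to SHARP, component-wise.
    Merged labels make the abstract component non-deterministic."""
    out = []
    for comp in comps:
        new = {loc: {} for loc in comp}
        for loc, edges in comp.items():
            for lab, targets in edges.items():
                key = SHARP if lab in sharp_alph else lab
                new[loc].setdefault(key, set()).update(targets)
        out.append(new)
    return out

def movable(comps, cfg, sigma):
    """Every owner of sigma can take it (Definition 3); for SHARP one owner
    suffices (Definition 10, condition 1)."""
    owners = [i for i, c in enumerate(comps) if sigma in alphabet(c)]
    can = [sigma in comps[i].get(cfg[i], {}) for i in owners]
    return bool(owners) and (any(can) if sigma == SHARP else all(can))

def enabled(comps, prio, cfg):
    """Movable interactions not dominated by a movable higher-priority one."""
    mov = {s for c in comps for s in alphabet(c) if movable(comps, cfg, s)}
    return {s for s in mov if not any(lo == s and hi in mov for lo, hi in prio)}

def successors(comps, cfg, sigma):
    """Configurations after sigma. For SHARP each owner may move or stay
    (may-update); non-owners stutter. The all-stay combination is dropped,
    which does not change the reachable set."""
    choices = []
    for i, comp in enumerate(comps):
        targets = comp.get(cfg[i], {}).get(sigma, set())
        if sigma == SHARP:
            choices.append({cfg[i]} | targets)
        elif sigma in alphabet(comp):
            choices.append(targets)
        else:
            choices.append({cfg[i]})
    succ = set(product(*choices))
    return succ - {cfg} if sigma == SHARP else succ

def reachable(comps, prio, init):
    seen, stack = {init}, [init]
    while stack:
        cfg = stack.pop()
        for sigma in enabled(comps, prio, cfg):
            for nxt in successors(comps, cfg, sigma) - seen:
                seen.add(nxt)
                stack.append(nxt)
    return seen

def deadlocks(comps, prio, init, sharp=False):
    """Reachable configurations with nothing enabled; with sharp=True the
    SHARP interaction does not count (Definition 11: #-deadlock)."""
    ignore = {SHARP} if sharp else set()
    return {c for c in reachable(comps, prio, init)
            if not enabled(comps, prio, c) - ignore}

def concretize(prio, sharp_alph):
    """Step 2 of the algorithm: # < s becomes s' < s for every s' in Sigma#."""
    return {(lo2, hi) for lo, hi in prio
            for lo2 in (sharp_alph if lo == SHARP else {lo})}

# Constructed system: C1 chooses between a (leading to a dead end) and b.
C1 = {'l0': {'a': {'l1'}, 'b': {'l2'}}, 'l1': {}, 'l2': {'c': {'l2'}}}
C2 = {'m0': {'a': {'m1'}, 'd': {'m0'}}, 'm1': {}}   # shares a with C1, d with C3
C3 = {'n0': {'d': {'n0'}}}
S, INIT = [C1, C2, C3], ('l0', 'm0', 'n0')
SIGMA_SHARP = {'d'}                 # keep C1's alphabet {a, b, c}, abstract the rest
S_SHARP = abstract(S, SIGMA_SHARP)
PRIO = {('a', 'b')}                 # candidate synthesized priority: a < b

if __name__ == '__main__':
    print('deadlocks of S        :', deadlocks(S, set(), INIT))
    print('plain deadlocks of S# :', deadlocks(S_SHARP, set(), INIT))
    print('#-deadlocks of S#     :', deadlocks(S_SHARP, set(), INIT, sharp=True))
    print('#-deadlocks with a<b  :', deadlocks(S_SHARP, PRIO, INIT, sharp=True))
    print('deadlocks of S with a<b:', deadlocks(S, PRIO, INIT))
```

Running it shows the configuration ('l1', 'm1', 'n0') as the only deadlock of $S$ and the only $\sharp$-deadlock of $S_\sharp$, while the plain deadlock set of $S_\sharp$ is empty because $C_3$'s $\sharp$ self-loop is always movable; adding $a \prec b$ empties both.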

V. ASSUME-GUARANTEE BASED PRIORITY SYNTHESIS

We use an assume-guarantee based compositional synthesis algorithm for behavioral safety. Given a system $S = (C_1 \cup C_2, \Sigma, \mathcal{P})$ and a risk specification described by a deterministic finite state automaton $R$, where $\mathcal{L}(R) \subseteq \Sigma^*$, we use $|S|$ to denote the size of $S$ and $|R|$ to denote the number of states of $R$. The synthesis task is to find a set of priority rules $\mathcal{P}_+$ such that adding $\mathcal{P}_+$ to the system $S$ makes it B-Safe with respect to the risk specification $\mathcal{L}(R)$. This can be done using an assume-guarantee rule that we describe in the next paragraph.

We first define some notation needed for the rule. The system $S_+ = (C_1 \cup C_2, \Sigma, \mathcal{P} \cup \mathcal{P}_+)$ is obtained by adding priority rules $\mathcal{P}_+$ to the system $S$. We use $S_1 = (C_1, \Sigma, \mathcal{P} \cap \Sigma \times \Sigma_1)$ and $S_2 = (C_2, \Sigma, \mathcal{P} \cap \Sigma \times \Sigma_2)$ to denote two sub-systems of $S$. We further partition the alphabet $\Sigma$ into three parts $\Sigma_{12}$, $\Sigma_1$, and $\Sigma_2$, where $\Sigma_{12}$ is the set of interactions appearing in both sets of components $C_1$ and $C_2$ (in words, the shared alphabet of $C_1$ and $C_2$), and $\Sigma_i$ is the set of interactions appearing only in the set of components $C_i$ (in words, the local alphabet of $C_i$) for $i = 1, 2$. Also, we require that the decomposition of the system satisfies $\mathcal{P} \subseteq \Sigma \times (\Sigma_1 \cup \Sigma_2)$, which means that we do not allow a shared interaction to have a higher priority than any other interaction. This is required for the soundness proof of the assume-guarantee rule; as explained later, we immediately lose soundness by relaxing this restriction. For $i = 1, 2$, the system $S_{i+} = (C_i \cup \{d_i\}, \Sigma, (\mathcal{P} \cap \Sigma \times \Sigma_i) \cup \mathcal{P}_i)$ is obtained by (1) adding priority rules $\mathcal{P}_i \subseteq \Sigma \times \Sigma_i$ to $S_i$ and (2), in order to simulate stuttering transitions, adding a component $d_i$ that contains only one location with self-loop transitions labeled with the symbols in $\Sigma_{3-i}$ (the local alphabet of the other set of components). Then the following assume-guarantee rule can be used to decompose the synthesis task into two smaller sub-tasks:

$\mathcal{L}(S_{1+}) \cap \mathcal{L}(R) \cap \mathcal{L}(A) = \emptyset$ (a)

$\mathcal{L}(S_{2+}) \cap \mathcal{L}(\overline{A}) = \emptyset$ (b)

$\mathcal{L}(S_+) \cap \mathcal{L}(R) = \emptyset$ (c)

The above assume-guarantee rule says that $S_+$ is B-Safe with respect to $\mathcal{L}(R)$ iff there exists an assumption automaton $A$ such that (1) $S_{1+}$ is B-Safe with respect to $\mathcal{L}(R) \cap \mathcal{L}(A)$ and (2) $S_{2+}$ is B-Safe with respect to $\mathcal{L}(\overline{A})$, where $\overline{A}$ is the complement of $A$, $\mathcal{P}_+ = \mathcal{P}_1 \cup \mathcal{P}_2$, and there is no conflict between $\mathcal{P}_1$ and $\mathcal{P}_2$. In the following, we prove that the above assume-guarantee rule is both sound and complete. Nevertheless, it is unsound for deadlock-freeness; an example can be found at the beginning of Section IV.



Theorem 3 (Soundness): Let $\mathcal{P}_1$ and $\mathcal{P}_2$ be two non-conflicting priority rules, $A$ be the assumption automaton, $R$ be the risk specification automaton, $S_{1+} = (C_1 \cup \{d_1\}, \Sigma, (\mathcal{P} \cap \Sigma \times \Sigma_1) \cup \mathcal{P}_1)$, and $S_{2+} = (C_2 \cup \{d_2\}, \Sigma, (\mathcal{P} \cap \Sigma \times \Sigma_2) \cup \mathcal{P}_2)$, where $\mathcal{P}_i \subseteq \Sigma \times \Sigma_i$ for $i = 1, 2$ and $\mathcal{P} \subseteq \Sigma \times (\Sigma_1 \cup \Sigma_2)$. If $\mathcal{L}(S_{1+}) \cap \mathcal{L}(R) \cap \mathcal{L}(A) = \emptyset$ and $\mathcal{L}(S_{2+}) \cap \mathcal{L}(\overline{A}) = \emptyset$, then the priority rule $\mathcal{P}_1 \cup \mathcal{P}_2$ ensures that the system $S = (C_1 \cup C_2, \Sigma, \mathcal{P})$ is B-Safe with respect to $R$.

Proof: First, from $\mathcal{L}(S_{1+}) \cap \mathcal{L}(R) \cap \mathcal{L}(A) = \emptyset$ and $\mathcal{L}(S_{2+}) \cap \mathcal{L}(\overline{A}) = \emptyset$, we obtain the relation between those languages depicted in Figure 5. From the figure, one can see that the two languages $\mathcal{L}(S_{1+}) \cap \mathcal{L}(R)$ and $\mathcal{L}(S_{2+})$ are disjoint. It follows that $\mathcal{L}(S_{1+}) \cap \mathcal{L}(R) \cap \mathcal{L}(S_{2+}) = \emptyset$. By Lemma 3 we have $\mathcal{L}(S_+) \cap \mathcal{L}(R) \subseteq \mathcal{L}(S_{1+}) \cap \mathcal{L}(S_{2+}) \cap \mathcal{L}(R) = \emptyset$. Hence the set of priorities $\mathcal{P}_1 \cup \mathcal{P}_2$ ensures that $S$ is B-Safe with respect to $R$. ■

Lemma 3 (Composition): Let $S_1 = (C_1 \cup \{d_1\}, \Sigma, \mathcal{P}_1)$, $S_2 = (C_2 \cup \{d_2\}, \Sigma, \mathcal{P}_2)$, and $S_{1+2} = (C_1 \cup C_2, \Sigma, \mathcal{P}_1 \cup \mathcal{P}_2)$ be three systems, where $\mathcal{P}_i \subseteq \Sigma \times \Sigma_i$ for $i = 1, 2$. We have $\mathcal{L}(S_{1+2}) \subseteq \mathcal{L}(S_1) \cap \mathcal{L}(S_2)$.

Proof: For a word $w = \sigma_1, \ldots, \sigma_n \in \mathcal{L}(S_{1+2})$, we proceed inductively from the first interaction. If $\sigma_1$ is enabled in the initial configuration $(l_1, v_1, \ldots, l_n, v_n, \ldots, l_m, v_m)$ of $S_{1+2}$, then according to Definition 3 we have (1) if $\sigma_1$ is in the interaction alphabet of component $C_i \in C_1 \cup C_2$, then there exists a transition $(l_i, g_i, \sigma_1, f_i, l_i')$ in $C_i$ such that $g_i(v_i) = \mathit{True}$, and (2) there exists no transition $(l_i, g_i, \sigma', f_i, l_i')$ in the components of $C_1$ and $C_2$ such that $g_i(v_i) = \mathit{True}$ and $(\sigma_1, \sigma') \in \mathcal{P}_1 \cup \mathcal{P}_2$.




Figure 5. The relation between the languages.
Figure 6. A counterexample when we allow a shared interaction to have higher priority than others.



We want to show that $\sigma_1$ is also enabled in the initial configuration of $S_1$. In order to do this, we have to prove (1) components in $C_1 \cup \{d_1\}$ can move with $\sigma_1$ and (2) there exists no transition $(l_i, g_i, \sigma', f_i, l_i')$ in $C_1 \cup \{d_1\}$ such that $g_i(v_i) = \mathit{True}$, $l_i$ is an initial location, and $(\sigma_1, \sigma') \in \mathcal{P}_1$.

• For (1), we consider the following cases: (a) If $\sigma_1 \in \Sigma_{12}$, components of $C_1$ can move with $\sigma_1$ and $d_1$ can move with $\sigma_1$ via a self-loop transition. (b) If $\sigma_1 \in \Sigma_1$, components of $C_1$ can move with $\sigma_1$ and it is not an interaction of $d_1$. (c) If $\sigma_1 \in \Sigma_2$, it is not an interaction of $C_1$ and $d_1$ can move with $\sigma_1$ via a self-loop transition. Therefore, components in $C_1 \cup \{d_1\}$ can move with $\sigma_1$.

• For (2), first, it is not possible to have such a transition in any component of $C_1$ by the definition of $S_{1+2}$ and Definition 3. Then, if the transition is in $d_1$, we have $\sigma' \in \Sigma_2$ and it follows that $(\sigma_1, \sigma') \notin \mathcal{P}_1 \subseteq \Sigma \times \Sigma_1$.

By the above arguments for (1) and (2), $\sigma_1$ is enabled in the initial configuration of $S_1$. By a similar argument, $\sigma_1$ is also enabled in the initial configuration of $S_2$.

The inductive step can be proved using the same argument. Thus $w \in \mathcal{L}(S_1)$ and $w \in \mathcal{L}(S_2)$. It follows that $\mathcal{L}(S_{1+2}) \subseteq \mathcal{L}(S_1) \cap \mathcal{L}(S_2)$. ■

Theorem 4 (Completeness): Let $S_+ = (C, \Sigma, \mathcal{P} \cup \mathcal{P}_+)$ be a system and $R$ be the risk specification automaton. If $\mathcal{L}(S_+) \cap \mathcal{L}(R) = \emptyset$, then there exist an assumption automaton $A$, system components $C_1$ and $C_2$ such that $C = C_1 \cup C_2$ and $C_1 \cap C_2 = \emptyset$, and two non-conflicting priority rules $\mathcal{P}_1 \subseteq \Sigma \times \Sigma_1$ and $\mathcal{P}_2 \subseteq \Sigma \times \Sigma_2$ such that $\mathcal{L}(C_1 \cup \{d_1\}, \Sigma, \mathcal{P} \cup \mathcal{P}_1) \cap \mathcal{L}(R) \cap \mathcal{L}(A) = \emptyset$, $\mathcal{L}(C_2 \cup \{d_2\}, \Sigma, \mathcal{P} \cup \mathcal{P}_2) \cap \mathcal{L}(\overline{A}) = \emptyset$, and $\mathcal{P}_+ = \mathcal{P}_1 \cup \mathcal{P}_2$.

Proof: Can be proved by taking $C_1 = C$, $C_2 = \emptyset$, $A$ as an automaton that recognizes $\Sigma^*$, $\mathcal{P}_1 = \mathcal{P}_+$, and $\mathcal{P}_2 = \emptyset$. ■



Below we give an example showing that if we allow the priority $\mathcal{P}$ to be any relation between the interactions, then the assume-guarantee rule we use is unsound. The key is that Lemma 3 is no longer valid with the relaxed constraint on the priority. In Figure 6, both $C_1$ and $C_2$ have only one component, $\Sigma_1 = \emptyset$, $\Sigma_2 = \{c\}$, and $\Sigma_{12} = \{a, b\}$. Assume that we have the priority rule $\mathcal{P} = \{b \prec a\}$ in $S_1$, $S_2$, and $S$. Then we get $\mathcal{L}(S_1) = \{a\}$ and $\mathcal{L}(S_2) = \{b + ca\}$, which implies $\mathcal{L}(S_1) \cap \mathcal{L}(S_2) = \emptyset$. However, $\mathcal{L}(S) = \{b\}$. Thus we have found a counterexample to Lemma 3. This produces a counterexample to the soundness of the assume-guarantee rule: with a risk specification $\mathcal{L}(R) = \{b\}$, an assumption automaton with $\mathcal{L}(A) = \Sigma^*$, and priorities $\mathcal{P} = \mathcal{P}_1 = \mathcal{P}_2 = \{b \prec a\}$, the subtasks of the assume-guarantee rule can be proved to be B-Safe. However, the system $S$ is not B-Safe with respect to $\mathcal{L}(R)$. The reason why $\Sigma_{12}$ cannot be placed on the right-hand side of $\mathcal{P}$, $\mathcal{P}_1$, and $\mathcal{P}_2$ is that even if in a subsystem a shared interaction can block other interactions successfully, when composing the two systems together it may no longer block other interactions (as now they need to be paired).
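The following Python code, added here and not taken from the paper, checks conditions (a) to (c) on bounded-length languages of two constructed components with the same alphabet split as the example above ($\Sigma_1 = \emptyset$, $\Sigma_2 = \{c\}$, $\Sigma_{12} = \{a, b\}$), using components of our own rather than those of Figure 6. With the illegal priority $b \prec a$ applied in $S_{1+}$, $S_{2+}$ and $S_+$, (a) and (b) hold while (c) fails and the inclusion of Lemma 3 is violated; with a priority whose right-hand side is local to $C_2$, Lemma 3 holds, and with a suitable small assumption $A$ the rule concludes safety. The components, $R$, $A$ and the helper names (`assume_guarantee`, `stutter`, `language`) are all constructed here.

```python
# Added example (not from the paper): checking the assume-guarantee rule
# (a)-(c) on bounded-length languages of constructed components. It reproduces
# the unsoundness above (shared interaction on the right-hand side of a
# priority) and shows Lemma 3 holding once P is a subset of Sigma x (Sigma1 u Sigma2).

# A component is (initial location, {location: {label: next location}}).
def alphabet(comp):
    return {lab for edges in comp[1].values() for lab in edges}

def stutter(labels):
    """The component d_i: a single location with a self-loop per label."""
    return ('s', {'s': {lab: 's' for lab in labels}})

def enabled(comps, prio, cfg):
    """Definition 3: every owner of sigma can move, and no movable interaction
    has precedence over sigma ((lo, hi) in prio means lo < hi, hi preferred)."""
    mov = set()
    for sigma in set().union(*(alphabet(c) for c in comps)):
        if all(sigma in c[1].get(cfg[i], {})
               for i, c in enumerate(comps) if sigma in alphabet(c)):
            mov.add(sigma)
    return {s for s in mov if not any(lo == s and hi in mov for lo, hi in prio)}

def language(comps, prio, bound):
    """Prefix-closed set of interaction sequences of length <= bound."""
    words, todo = {()}, [((), tuple(c[0] for c in comps))]
    while todo:
        w, cfg = todo.pop()
        if len(w) == bound:
            continue
        for sigma in enabled(comps, prio, cfg):
            nxt = tuple(c[1][cfg[i]][sigma] if sigma in alphabet(c) else cfg[i]
                        for i, c in enumerate(comps))
            words.add(w + (sigma,))
            todo.append((w + (sigma,), nxt))
    return words

def split_alphabet(c1, c2):
    """Sigma1 (local to C1), Sigma2 (local to C2), Sigma12 (shared)."""
    a1 = set().union(*(alphabet(c) for c in c1))
    a2 = set().union(*(alphabet(c) for c in c2))
    return a1 - a2, a2 - a1, a1 & a2

def assume_guarantee(c1, c2, p1, p2, risk, assume, bound=4):
    """Evaluate the rule: p1/p2 are the priorities used in S1+/S2+, their
    union is used in S+; risk/assume are membership tests for L(R)/L(A)."""
    s1, s2, _ = split_alphabet(c1, c2)
    l1 = language(c1 + [stutter(s2)], p1, bound)      # S1+ = C1 u {d1}
    l2 = language(c2 + [stutter(s1)], p2, bound)      # S2+ = C2 u {d2}
    lp = language(c1 + c2, p1 | p2, bound)            # S+
    return {
        'legal': all(hi in s1 for _, hi in p1) and all(hi in s2 for _, hi in p2),
        'a': not any(risk(w) and assume(w) for w in l1),   # L(S1+) n L(R) n L(A) empty
        'b': all(assume(w) for w in l2),                   # L(S2+) n L(not A) empty
        'c': not any(risk(w) for w in lp),                 # L(S+) n L(R) empty
        'lemma3': lp <= l1 & l2,                           # L(S+) within L(S1+) n L(S2+)
    }

# Constructed components: Sigma1 = {}, Sigma2 = {c}, Sigma12 = {a, b}.
C1 = ('l0', {'l0': {'a': 'l1', 'b': 'l2'}, 'l1': {}, 'l2': {}})
C2 = ('m0', {'m0': {'b': 'm1'}, 'm1': {'c': 'm2'}, 'm2': {'a': 'm2'}})
RISK = lambda w: w == ('b',)                # L(R) = {b}
ANY = lambda w: True                        # L(A) = Sigma*
# A small assumption describing C2's own behaviour: prefixes of b c a*.
BCA = lambda w: w[:2] == ('b', 'c')[:len(w)] and all(x == 'a' for x in w[2:])
STARTS_CA = lambda w: w[:2] == ('c', 'a')   # a second risk specification

if __name__ == '__main__':
    print(assume_guarantee([C1], [C2], {('b', 'a')}, {('b', 'a')}, RISK, ANY))
    print(assume_guarantee([C1], [C2], set(), {('b', 'c')}, RISK, ANY))
    print(assume_guarantee([C1], [C2], set(), {('b', 'c')}, STARTS_CA, BCA))
```

The first call is the unsound configuration: 'legal' is False, (a) and (b) hold, (c) fails and so does Lemma 3, because $b$ is blocked by $a$ in $S_{1+}$ but not in $S_+$, where $a$ must be paired with $C_2$. The third call shows the rule working as intended: a small assumption capturing $C_2$'s behaviour discharges (a) and (b), and (c) indeed holds.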

Notice that (1) the complexity of a synthesis task is NP-complete in the number of states of the risk specification automaton multiplied by the size of the system and (2) $|S|$ is approximately equal to $|S_1| \times |S_2|$.¹ Consider the case that one decomposes the synthesis task of $S$ with respect to $\mathcal{L}(R)$ into two subtasks using the above assume-guarantee rule. The complexity of the original synthesis task is NP-complete in $|S| \times |R|$, and the complexities of the two sub-tasks are $|S_1| \times |R| \times |A|$ and $|S_2| \times |\overline{A}|$,² respectively. Therefore, if one manages to find a small assumption automaton $A$ for the assume-guarantee rule, the complexity of synthesis can be greatly reduced. We propose to use the machine learning algorithm L* to automatically find a small automaton that is suitable for compositional synthesis. Next, we will first briefly describe the L* algorithm and then explain how to use it for compositional synthesis.

¹ This is true only if the size of the alphabet is much smaller than the number of reachable configurations.

Figure 7. The flow of the assume-guarantee priority synthesis.

The L* algorithm works iteratively to find a minimal deterministic automaton recognizing a target regular language $U$. It assumes a teacher that answers two types of queries: (a) membership queries on a string $w$, where the teacher returns true if $w$ is in $U$ and false otherwise, and (b) equivalence queries on an automaton $A$, where the teacher returns true if $\mathcal{L}(A) = U$, and otherwise returns false together with a counterexample string in the symmetric difference of $\mathcal{L}(A)$ and $U$. In the $i$-th iteration, the L* algorithm acquires information about $U$ by posing membership queries and guesses a candidate automaton $A_i$. The correctness of $A_i$ is then verified using an equivalence query. If $A_i$ is not a correct automaton (i.e., $\mathcal{L}(A_i) \neq U$), the counterexample returned by the teacher is used to refine the conjecture automaton of the $(i+1)$-th iteration. The learning algorithm is guaranteed to converge to the minimal deterministic finite state automaton of $U$ in a polynomial number of iterations.³ Also, the sizes of the conjecture automata increase strictly monotonically with the number of iterations (i.e., $|A_{i+1}| > |A_i|$ for all $i > 0$).

The flow of our compositional synthesis is shown in Figure 7. Our idea of compositional synthesis via learning is the following. We use the notation $S_i^d$ to denote the system $S_i$ equipped with a stuttering component. First we use L* to learn the language $\mathcal{L}(S_2^d)$. Since the transition system induced from the system $S_2^d$ has finitely many states, one can see that $\mathcal{L}(S_2^d)$ is regular. For a membership query on a word $w$, our algorithm simulates it symbolically on $S_2^d$ to see if it is in $\mathcal{L}(S_2^d)$. Once the L* algorithm poses an equivalence query on a deterministic finite automaton $A_i$, our algorithm tests the conditions $\mathcal{L}(S_1^d) \cap \mathcal{L}(R) \cap \mathcal{L}(A_i) = \emptyset$ and $\mathcal{L}(S_2^d) \cap \mathcal{L}(\overline{A_i}) = \emptyset$ one after another. So far, our algorithm looks very similar to the compositional verification algorithm proposed in [14]. There are a few possible outcomes of the above test:

1) Both conditions hold; then we have proved that the system is B-Safe with respect to $\mathcal{L}(R)$ and no synthesis is needed.

2) At least one of the two conditions does not hold. In such a case, we try to synthesize priority rules to make the system B-Safe (see the details below).

3) If the algorithm fails to find usable priority rules, we have two cases:

a) The algorithm obtains a counterexample string $ce \in \mathcal{L}(S_1^d) \cap \mathcal{L}(R) \cap \mathcal{L}(A_i)$ from the first condition. This case is more complicated. We have to further test whether $ce \in \mathcal{L}(S_2^d)$. A negative answer implies that $ce$ is in $\mathcal{L}(A_i) \setminus \mathcal{L}(S_2^d)$, so $ce$ can be used by L* to refine the next conjecture. Otherwise, our algorithm terminates and reports that it is not able to synthesize priority rules.

b) The algorithm obtains a counterexample string $ce \in \mathcal{L}(S_2^d) \setminus \mathcal{L}(A_i)$ from the second condition; in such a case, $ce$ can be used by L* to refine the next conjecture.
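To make the learner's two query types and the counterexample-driven refinement concrete, here is an added compact L* implementation (our code, not the paper's or VissBIP's). The teacher is a stand-in: instead of simulating $S_2^d$ symbolically, it answers membership queries from a constructed DFA for a prefix-closed language (the shape of $\mathcal{L}(S_2^d)$) and answers equivalence queries by a product search that returns a word in the symmetric difference. Counterexamples are processed by adding all their suffixes to the distinguishing set, a standard variant of L*. The run shows the conjecture sizes growing strictly (2, 3, 4) until the minimal automaton is reached. The class and function names (`DFA`, `Teacher`, `LStar`, `prefix_closed_dfa`) are ours.

```python
# Added example (not from the paper): a compact L* learner (observation table,
# all counterexample suffixes added to E) against a constructed teacher. The
# teacher stands in for the symbolic simulation of S2^d: membership is answered
# by a target DFA, equivalence by a product search for a distinguishing word.
from collections import deque

class DFA:
    def __init__(self, alphabet, init, delta, accept):
        self.alphabet, self.init, self.delta, self.accept = alphabet, init, delta, set(accept)
    def accepts(self, word):
        q = self.init
        for x in word:
            q = self.delta[(q, x)]
        return q in self.accept
    def size(self):
        return len({q for q, _ in self.delta} | {self.init})

def prefix_closed_dfa(alphabet, word):
    """Constructed target: prefixes of word followed by repetitions of its
    last letter (e.g. b c a*), plus a rejecting sink."""
    states = [f'q{i}' for i in range(len(word))]
    delta = {(q, x): 'sink' for q in states + ['sink'] for x in alphabet}
    for i, x in enumerate(word[:-1]):
        delta[(states[i], x)] = states[i + 1]
    delta[(states[-1], word[-1])] = states[-1]
    return DFA(alphabet, states[0], delta, states)

class Teacher:
    def __init__(self, target):
        self.target = target
    def member(self, w):                      # membership query
        return self.target.accepts(w)
    def equivalent(self, hyp):                # equivalence query
        """None if L(hyp) = L(target); otherwise a shortest distinguishing
        word, found by breadth-first search over the product automaton."""
        start = (hyp.init, self.target.init)
        seen, queue = {start}, deque([(start, ())])
        while queue:
            (p, q), w = queue.popleft()
            if (p in hyp.accept) != (q in self.target.accept):
                return w
            for x in hyp.alphabet:
                nxt = (hyp.delta[(p, x)], self.target.delta[(q, x)])
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, w + (x,)))
        return None

class LStar:
    def __init__(self, alphabet, teacher):
        self.alphabet, self.teacher = tuple(alphabet), teacher
        self.S, self.E, self.T = {()}, [()], {}   # prefixes, suffixes, query cache
        self.sizes = []                            # |A_1|, |A_2|, ... for the record

    def query(self, w):
        if w not in self.T:
            self.T[w] = self.teacher.member(w)
        return self.T[w]

    def row(self, s):
        return tuple(self.query(s + e) for e in self.E)

    def close(self):
        """Closedness: every one-letter extension of S has a row already in S.
        Rows of S stay pairwise distinct, so no separate consistency step."""
        while True:
            rows = {self.row(s) for s in self.S}
            ext = next((s + (x,) for s in sorted(self.S) for x in self.alphabet
                        if self.row(s + (x,)) not in rows), None)
            if ext is None:
                return
            self.S.add(ext)

    def conjecture(self):
        reps = {}
        for s in sorted(self.S, key=len):
            reps.setdefault(self.row(s), s)       # one representative per row
        delta = {(reps[self.row(s)], x): reps[self.row(s + (x,))]
                 for s in self.S for x in self.alphabet}
        accept = {reps[self.row(s)] for s in self.S if self.query(s)}
        return DFA(self.alphabet, reps[self.row(())], delta, accept)

    def learn(self):
        while True:
            self.close()
            hyp = self.conjecture()
            self.sizes.append(hyp.size())
            ce = self.teacher.equivalent(hyp)
            if ce is None:
                return hyp
            for i in range(len(ce) + 1):          # refine with every suffix of ce
                if ce[i:] not in self.E:
                    self.E.append(ce[i:])

if __name__ == '__main__':
    target = prefix_closed_dfa(('a', 'b', 'c'), ('b', 'c', 'a'))
    learner = LStar(('a', 'b', 'c'), Teacher(target))
    result = learner.learn()
    print('conjecture sizes:', learner.sizes, '-> final DFA with', result.size(), 'states')
```

In the compositional flow the equivalence query would be replaced by the two language tests above, and a counterexample would be fed back only in the cases 3a and 3b; the learner's refinement step is the same.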

The deterministic finite state automata $R$, $A_i$, and also its complement $\overline{A_i}$ can be treated as components without data and can be easily encoded symbolically using the approach in Section III-A. Also, the two conditions can be tested using standard symbolic reachability algorithms.

² Since $A$ is deterministic, the sizes of $A$ and its complement $\overline{A}$ are identical.

³ In the size of the minimal deterministic finite state automaton of $U$ and the longest counterexample returned from the teacher.



Compositional Synthesis: Recall that our goal is to find a set of suitable priority rules via a small automaton $A_i$. Therefore, before using $ce$ to refine and obtain the next conjecture $A_{i+1}$, we first attempt to synthesize priority rules using $A_i$ as the assumption automaton. The synthesis algorithms of the previous sections can then be applied separately to the system composed of $\{S_1^d, R, A_i\}$ and the system composed of $\{S_2^d, \overline{A_i}\}$ to obtain two non-conflicting priority rules $\mathcal{P}_{1i} \subseteq (\Sigma_1 \cup \Sigma_{12}) \times \Sigma_1$ and $\mathcal{P}_{2i} \subseteq (\Sigma_2 \cup \Sigma_{12}) \times \Sigma_2$. Then $\mathcal{P}_{1i} \cup \mathcal{P}_{2i}$ is the desired priority for $S$ to be B-Safe with respect to $R$. To be more specific, we first compute the CNF formulae $f_1$ and $f_2$ (which encode all possible priority rules that are local, i.e., we remove all non-local priority candidates) of the two systems separately using the algorithms in Section III and then check the satisfiability of $f_1 \wedge f_2$. The priority rules $\mathcal{P}_{1i}$ and $\mathcal{P}_{2i}$ can be derived from the satisfying assignment of $f_1 \wedge f_2$.



VI. Evaluation

We implemented the presented algorithms (except the connection to the data abstraction module in D-Finder [8]) in the ViSSBIP tool and performed experiments to evaluate them. To observe how our algorithm scales, in Table I we summarize the results of synthesizing priorities for the dining philosophers problem. Our preliminary result in [10] fails to synthesize priorities when the number of philosophers is greater than 15 (i.e., a total of 30 components), while currently we are able to solve problems of 50 philosophers within reasonable time. By analyzing the bottleneck, we found that 50% of the execution time is used to construct clauses for the transitive closure, which can be easily parallelized. Also, the synthesized result (i) does not starve any philosopher and (ii) ensures that each philosopher only needs to observe his left and right philosopher, making the resulting priority very desirable. Alternatively, it is possible to select a subset of components and ask to synthesize priorities for deadlock freedom using alphabet abstraction. The execution time using alphabet abstraction depends on the number of selected components; in our case we select 4 components, so it executes extremely fast. Of course, the synthesized result is not very satisfactory, as it starves certain philosophers. Nevertheless, this is unavoidable when overlooking interactions done by other philosophers. Besides the traditional dining philosophers problem, we have also evaluated on (i) a BIP model (5 components) for data processing in digital communication (DPU; see Appendix A for a description) and (ii) a simplified protocol of automatic traffic control (Traffic). Our preliminary evaluation on compositional priority synthesis is in Appendix B.

VII. Related Work

For deadlock detection, well-known model checking tools such as SPIN and NuSMV support deadlock detection given certain formulas to specify the property. D-Finder [8] applies compositional and incremental methods to compute invariants for an over-approximation of reachable states to verify deadlock-freedom automatically. Nevertheless, none of the above tools provides any deadlock avoidance strategy when real deadlocks are detected.

Synthesizing priorities is subsumed by the framework of controller synthesis proposed by Ramadge and Wonham [22], where the authors proposed an automata-theoretic approach to restrict the behavior of the system (modeling the environment is also possible). Essentially, when the environment is modeled, the framework computes the risk attractor and creates a centralized controller. Similar results using centralized control can be dated back from [5] to the recent work by Autili et al. (the SYNTHESIS tool). Nevertheless, the centralized coordinator forms a major bottleneck for system execution. Transforming a centralized controller into distributed controllers is difficult, as within a centralized controller, the execution of a local interaction of a component might need to consider the configuration of all other components.

Figure 8. The framework of priority synthesis presented in this paper, where the connection with the D-Finder tool [8] is left for future work.

Priorities, as they are stateless, can be distributed much more easily for performance and concurrency. E.g., the synthesized result of the dining philosophers problem indicates that each philosopher only needs to watch his left and right philosophers without considering all others. We can continue with known results from the work of Graf et al. to distribute priorities, or partition the set of priorities among multiple controllers under a layered structure to increase concurrency (see the work by Bonakdarpour et al. [9]). Our algorithm can be viewed as a step forward from centralized controllers to distributed controllers, as architectural constraints (i.e., visibility of other components) can be encoded during the creation of priority candidates. Therefore, we consider the work of Abujarad et al. [1] closest to ours, where they proceed by performing distributed synthesis (known to be undecidable [21]) directly. In their model, they take into account the environment (which they refer to as faults), and consider handling deadlock states by either adding mechanisms to recover from them or preventing the system from reaching them. It is difficult to compare the two approaches directly, but we give hints concerning performance: (i) Our methodology and implementation work on the game concept, so the complexity does not change when the environment is introduced. (ii) In [1], for a problem of $10^{?}$ states, under 8-thread parallelization, the total execution time is 3837 seconds, while resolving the deadlock of the 50 dining philosophers problem (a problem of $10^{?}$ states) is solved within 31 seconds using our monolithic engine.

Lastly, the research on deadlock detection and mechanisms of deadlock avoidance is an important topic within the Petri net community (see the survey paper [20] for details). Concerning synthesis, some theoretical results are available, e.g., [19], but efficient implementation efforts are, to our knowledge, lacking.

VIII. Conclusion 

In this paper, we explain the underlying algorithm for priority synthesis and propose extensions to synthesize priorities for more complex systems. Figure 8 illustrates a potential flow of priority synthesis. A system can first be processed using data abstraction to create models suitable for our analysis framework. Besides the monolithic engine, two complementary techniques are available to further reduce the complexity of the problem under analysis. Due to their stateless property and the fact that they preserve deadlock-freedom, priorities can be relatively easily implemented in a distributed setting.

Appendix 

A. Data Processing Units in Digital Communication 

In digital communication, to increase the reliability of data processing units (DPUs), one common technique is to use multiple data sampling. We have used ViSSBIP to model the components and synchronization for a simplified DPU. In the model, two interrupts (Synchint and Serialint respectively) are invoked sequentially by a Master to read the data from a Sensor. The Master may miss either of the two interrupts. Therefore, Serialint records whether the interrupt from Synchint is lost in the same cycle. If it is missed, Serialint will assume that the two interrupts have read the same value in the two consecutive cycles. According to the values read from the two consecutive cycles, Master calculates the result. In case the interrupt from Serialint is missing in the second cycle or both interrupts are missing in the first cycle, Master will not calculate anything. Ideally, the calculation result from Master should be the same as what is computed in Serialint. A mismatch leads to global deadlocks.

The synthesis in ViSSBIP focuses on the deadlock-freedom property. First, we selected the non-optimized engine. ViSSBIP reports that it fails to generate priority rules to avoid deadlock, in 4.174 seconds with 168 BDD variables. Then we selected the optimized engine and obtained the same result in 0.537 seconds with 116 BDD variables. The reason for the failure is that two contradictory priority rules are collected in the synthesis. Finally, we allowed the engine to randomly select one priority among the contradictory candidates (priority-repushing). A successful priority is finally reported in 1.134 seconds to avoid global deadlocks in the DPU case study.

B. Compositional Priority Synthesis: A Preliminary Evaluation 

Lastly, we conducted preliminary evaluations on compositional synthesis using the dining philosophers problem. Due to our system encoding, when decomposing the philosophers problem into two subproblems of equal size, the number of BDD variables used in the encoding of a subproblem is only 22.5% less than that of the original problem. This is because the saving comes only from replacing component construction with the assumption; all interactions are kept in the encoding of the subsystem. Therefore, if the problem size is not big enough, the total execution time for compositional synthesis is not superior to the monolithic method, as the time spent on inappropriate assumptions can be very costly. Still, we envision this methodology to be more applicable for larger examples, and it should be more applicable when the size of the alphabet is small (but with lots of components).